---
layout: docs
page_title: Azure Key Vault - Seals - Configuration
description: >-
  The Azure Key Vault seal configures Boundary to use Azure Key Vault for key management.
---

# `azurekeyvault` KMS

The Azure Key Vault KMS configures Vault to use Azure Key Vault for key management.
The Azure Key Vault KMS is activated by one of the following:

- The presence of a `seal "azurekeyvault"` block in Boundary's configuration file.

## `azurekeyvault` Example

This example shows configuring Azure Key Vault KMS through the Boundary
configuration file by providing all the required values:

```hcl
kms "azurekeyvault" {
  purpose        = "root"
  tenant_id      = "46646709-b63e-4747-be42-516edeaf1e14"
  client_id      = "03dc33fc-16d9-4b77-8152-3ec568f8af6e"
  client_secret  = "DUJDS3..."
  vault_name     = "hc-vault"
  key_name       = "vault_key"
}
```

## `azurekeyvault` Parameters

These parameters apply to the `kms` stanza in the Vault configuration file:

- `purpose` - Purpose of this KMS, acceptable values are: `worker-auth`, `worker-auth-storage`,
   `root`, `previous-root`, `recovery`, or `config`.

- `tenant_id` `(string: <required>)`: The tenant id for the Azure Active Directory organization. May
  also be specified by the `AZURE_TENANT_ID` environment variable.

- `client_id` `(string: <required or MSI>)`: The client id for credentials to query the Azure APIs.
  May also be specified by the `AZURE_CLIENT_ID` environment variable.

- `client_secret` `(string: <required or MSI>)`: The client secret for credentials to query the Azure APIs.
  May also be specified by the `AZURE_CLIENT_SECRET` environment variable.

- `environment` `(string: "AZUREPUBLICCLOUD")`: The Azure Cloud environment API endpoints to use. May also
  be specified by the `AZURE_ENVIRONMENT` environment variable.

- `vault_name` `(string: <required>)`: The Key Vault vault to use the encryption keys for encryption and
  decryption. May also be specified by the `AZUREKEYVAULT_WRAPPER_VAULT_NAME` environment variable.

- `key_name` `(string: <required>)`: The Key Vault key to use for encryption and decryption. May also be specified by the
  `AZUREKEYVAULT_WRAPPER_KEY_NAME` environment variable.

## Authentication

Authentication-related values must be provided, either as environment
variables or as configuration parameters.

Azure authentication values:

- `AZURE_TENANT_ID`
- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_SECRET`
- `AZURE_ENVIRONMENT`
